Why almost half of organizations want to replace their SIEM


If you could update your security information and event management (SIEM) solution, what would you change? SIEMs have been around a long time and have been core to security operations. You wouldn’t be alone in wanting to make some upgrades. According to new research, 44% of respondents — including 51% of CEOs and 52% of CTOs surveyed — are looking to replace or augment their SIEM. 

“Cybersecurity Solutions for a Riskier World,” led by ThoughtLab and co-sponsored by Elastic, surveyed 1,200 executives about their organizations’ cybersecurity postures. SIEM was their top planned technology investment over the next two years — but many are looking for something different. Here’s what’s driving the change.

[Related article: Cybersecurity is a data challenge, and better search technology is key to improving visibility and action]

1. Cloud migration drives new SIEM demands

More than one in five executives say increased cloud use has exposed their organization to new threats, according to ThoughtLab. Mitigating those risks starts with visibility into cloud-native environments, which calls for tooling that can itself run in the cloud and monitor cloud workloads and control planes. “As workloads migrate to the cloud, monitoring cloud deployments becomes essential to the business,” said Mandy Andress, CISO at Elastic.

Advanced analytics are also a factor in SIEM replacement. Many traditional SIEMs are rules-based or rely on a correlation engine. Writing and maintaining those rules, especially as the infrastructure they describe keeps growing and changing, is heavy ongoing work. A SIEM (or newer XDR platform) with embedded capabilities like cloud-specific out-of-the-box rules, analytics, and machine learning to surface anomalies enables quick investigations of suspicious activity.

With modern SIEMs, such as Elastic’s cloud-based SIEM, it’s possible to operate at scale and analyze data across cloud and hybrid environments. Elastic Security allows users to cost-effectively tap into as much security data as needed for cloud monitoring, detections, investigative context, threat hunting, and more.  

2. Users seek solutions with integrated data — and more of it

Interviewees for a Forrester Total Economic Impact™ (TEI) of Elastic report identified siloed data as a common issue with past solutions. These organizations sought solutions that could include more data sources and better integrate data, all at a lower cost and with better query response. In an age of digitization and decentralization, timely and easy access to data is crucial to identify infrastructure issues and security threats that can impact business growth.

With Elastic Security, the Elastic Common Schema (ECS) makes data modeling, ingestion, integration, and querying easier, faster, and more effective. Teams can see entire sequences of events, which speeds root cause identification and response.
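To make the two preceding points concrete (a correlation rule and a statistical anomaly check on one hand, a common schema across sources on the other), here is an added example that is not Elastic's code or part of the original article. It maps two constructed log sources, a CloudTrail-style ConsoleLogin record and a Linux sshd syslog line, onto a handful of ECS field names (`@timestamp`, `event.dataset`, `event.outcome`, `user.name`, `source.ip`), then runs one "failures followed by success" correlation rule and one per-IP failure-count baseline over the unified events. The dataset names, thresholds, host names and IP addresses are assumptions, and the z-score check stands in for the ML side of the discussion; it is a plain statistical baseline, not a trained model.

```python
"""ECS normalization plus detection over the unified events (added example).
All log data below is constructed; dataset names and thresholds are assumed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- constructed sample input -------------------------------------------------
CLOUDTRAIL_RECORDS = [  # CloudTrail-style console logins, same user and source IP
    {"eventTime": f"2023-03-01T{t}Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": r}}
    for t, r in [("10:00:00", "Failure"), ("10:00:20", "Failure"),
                 ("10:00:40", "Failure"), ("10:02:00", "Success")]
]
SYSLOG_LINES = [  # sshd lines from a (constructed) bastion host
    "Mar  1 10:01:00 bastion sshd[1234]: Failed password for alice from 203.0.113.5 port 50011 ssh2",
    "Mar  1 10:01:10 bastion sshd[1234]: Failed password for alice from 203.0.113.5 port 50012 ssh2",
    "Mar  1 10:01:20 bastion sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 50013 ssh2",
    "Mar  1 10:01:30 bastion sshd[1236]: Accepted publickey for alice from 203.0.113.5 port 50014 ssh2",
]
BASELINE_COUNTS = {"198.51.100.10": 1, "198.51.100.11": 2, "198.51.100.12": 1,
                   "198.51.100.13": 1, "198.51.100.14": 2, "198.51.100.15": 1}
SYSLOG_LINES += [  # low-volume background failures from other IPs
    f"Mar  1 09:{30 + n:02d}:00 bastion sshd[2000]: Failed password for bob from {ip} port 40000 ssh2"
    for ip, c in BASELINE_COUNTS.items() for n in range(c)
]

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def cloudtrail_to_ecs(rec):
    """Map a CloudTrail-style ConsoleLogin record onto ECS field names."""
    result = rec.get("responseElements", {}).get("ConsoleLogin", "")
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.dataset": "aws.cloudtrail",      # assumed dataset name
        "event.category": "authentication",
        "event.action": rec["eventName"],
        "event.outcome": "success" if result == "Success" else "failure",
        "user.name": rec["userIdentity"]["userName"],
        "source.ip": rec["sourceIPAddress"],
    }


def sshd_to_ecs(line, year=2023):
    """Map an sshd syslog line onto the same ECS fields; None if it does not match."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.dataset": "system.auth",         # assumed dataset name
        "event.category": "authentication",
        "event.action": "ssh_login",
        "event.outcome": "success" if m["result"] == "Accepted" else "failure",
        "user.name": m["user"],
        "source.ip": m["ip"],
        "host.name": m["host"],
    }


def normalize_all():
    """One time-ordered stream of ECS events from both sources."""
    events = [cloudtrail_to_ecs(r) for r in CLOUDTRAIL_RECORDS]
    events += [e for e in map(sshd_to_ecs, SYSLOG_LINES) if e]
    return sorted(events, key=lambda e: e["@timestamp"])


def brute_force_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation rule: >= min_failures failures for one (user, source IP) pair
    inside `window`, then a success from the same pair. Works across datasets
    only because both sources already share the ECS field names."""
    pending = defaultdict(list)  # (user, ip) -> failures not yet closed by a success
    alerts = []
    for ev in events:
        key = (ev["user.name"], ev["source.ip"])
        if ev["event.outcome"] == "failure":
            pending[key].append(ev)
            continue
        recent = [f for f in pending[key] if ev["@timestamp"] - f["@timestamp"] <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "user.name": key[0], "source.ip": key[1], "failures": len(recent),
                "datasets": sorted({f["event.dataset"] for f in recent} | {ev["event.dataset"]}),
                "success_at": ev["@timestamp"].isoformat(),
            })
        pending[key].clear()  # a success closes the sequence either way
    return alerts


def failure_count_outliers(events, z_threshold=2.0):
    """Baseline stand-in for the ML side: failed logins per source IP, flagging
    IPs more than z_threshold population standard deviations above the mean."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event.outcome"] == "failure":
            counts[ev["source.ip"]] += 1
    if len(counts) < 3:
        return {}
    mean, sd = statistics.fmean(counts.values()), statistics.pstdev(counts.values())
    if sd == 0:
        return {}
    return {ip: round((n - mean) / sd, 2) for ip, n in counts.items() if (n - mean) / sd > z_threshold}


if __name__ == "__main__":
    evs = normalize_all()
    print(f"{len(evs)} ECS events from 2 sources")
    for alert in brute_force_then_success(evs):
        print("ALERT", alert)
    print("OUTLIER IPs", failure_count_outliers(evs))
```

Run as a script, it reports one alert for alice from 203.0.113.5 spanning both `aws.cloudtrail` and `system.auth`, and the same IP as the only failure-count outlier. The rule would have missed the cross-source sequence if the two feeds still used their native field names, which is the practical reason a common schema matters before any analytics layer is added.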

3. Fast response times are critical for MTTD and MTTR

Organizations interviewed for the aforementioned Forrester TEI study said running queries in their past solutions could take a long time — long enough to go brew a pot of coffee and return to a query still running, as one security director quipped.

Jokes aside, speed of processing is a serious advantage for quick detection and response. The longer the mean time to detect (MTTD, the time from initial compromise to discovery) and mean time to respond (MTTR, the time from discovery to containment and remediation), the greater the potential damages. ThoughtLab compared organizations without a major breach over the past year to those that had suffered multiple major breaches: the breach-free group’s MTTD was almost 20 days shorter and its MTTR almost a week shorter.

Elastic’s fast response time supports critical activities like real-time monitoring, threat hunting, and root cause analysis. Coupled with contextual insights on alerts, integrated endpoint security capabilities, support for on-demand osquery investigations, ML models to analyze data from a variety of sources, integrations with security orchestration platforms, and built-in case management capabilities, Elastic not only accelerates the time to detect a threat but also speeds up time-consuming investigation and response activities. A retail security director noted that with Elastic, “a query off 4.5 PB of data, about 90 days of data, takes around 30 seconds, while a query off of a week of data will finish almost instantaneously.”

Reducing breach costs with Elastic Security

CISOs surveyed by ThoughtLab identified business disruption as one of the main impacts of breaches in 2020 and 2021. The costs of business interruption and staff downtime alone can run high, before reputational loss and replacement costs are added on top.

Ultimately, the Forrester TEI study totaled a data breach risk reduction of more than $6.5 million over three years with Elastic Security. For more on reducing the risk of a data breach with Elastic Security, download the Total Economic Impact™ study.